diff --git a/buildspec-executor.yml b/buildspec-executor.yml
index 8973fa3..a6fb2e5 100644
--- a/buildspec-executor.yml
+++ b/buildspec-executor.yml
@@ -34,7 +34,7 @@ env:
 NO_PROXY: "github.e.it.census.gov,169.254.169.254,169.254.170.2"
 # Per-build defaults (overridden via environmentVariablesOverride in Lambda)
 TARGET_ACCOUNT_ID: ""
- CROSS_ACCOUNT_ROLE: "r-inf-terraform"
+ CROSS_ACCOUNT_ROLE: "sc-automation-codebuild-role"
 TF_RUN_START_TAG: ""
 DRY_RUN: "false"
@@ -113,6 +113,7 @@ phases:
 CREDS=$(aws sts assume-role \
 --role-arn "${ROLE_ARN}" \
 --role-session-name "sc-automation-${ACCOUNT_REPO}" \
+ --external-id "${TARGET_ACCOUNT_ID}" \
 --query Credentials \
 --output json)
 export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | python3 -c "import json,sys; print(json.load(sys.stdin)['AccessKeyId'])")
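Review bot: The added `--external-id "${TARGET_ACCOUNT_ID}"` passes a value that is already part of any IAM role ARN and that, per the comment in the `env` block, arrives through the same Lambda override that selects the target, so an `sts:ExternalId` condition on the target role would not bind the call to anything the caller does not already supply. If the external ID is meant as a confused-deputy control, it should be a value the build input cannot steer, such as a per-account identifier held by the pipeline; the trust policy is not visible here, so this may be a deliberate convention. Separately, `TARGET_ACCOUNT_ID` defaults to `""`, and unless a step outside this hunk validates it, the call runs with an empty external ID. A guard before the `aws sts assume-role` line, such as `case "${TARGET_ACCOUNT_ID}" in ''|*[!0-9]*) echo "invalid TARGET_ACCOUNT_ID" >&2; exit 1;; esac`, would fail early with a clear message. The command block this line belongs to starts and ends outside the hunk.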